Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.
AnalysisAI
Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.
Technical ContextAI
MPD is a server-side music streaming daemon (cpe:2.3:a:musicplayerdaemon:mpd) written in C++ that decodes audio from local and remote sources. The vulnerability is a classic CWE-193 (Off-by-One Error) in the 24-bit big-endian PCM unpack routine: the stack buffer is sized as buffer.GetCapacity() / 3, which truncates rather than rounding up, so when the input buffer's capacity is not a multiple of 3, the unpack loop writes one extra int32_t (4 bytes) beyond the array. The upstream patch replaces the integer division with DivideRoundUp(buffer.GetCapacity(), 3), correctly sizing the stack allocation. Because the overflowed bytes originate from the HTTP response body of a remote audio source, an attacker controls three of the four spilled bytes, giving partial control over adjacent stack data such as saved registers or return addresses depending on compiler layout and stack canaries.
RemediationAI
Vendor-released patch: upgrade to MPD 0.24.11 or later, which incorporates commit 59911028c020f84bc2e669da6a1ef88121301274 replacing the truncating division with DivideRoundUp() in src/decoder/plugins/PcmDecoderPlugin.cxx; release details are at https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/ and https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11. Distributions that cannot immediately ship 0.24.11 can backport the one-line patch from the linked commit. As compensating controls until patching, disable the curl/HTTP input plugin in mpd.conf (input { plugin "curl" enabled "no" }) to block remote audio fetches at the cost of losing internet-radio and HTTP playlist support, restrict the MPD control socket and bind_to_address to localhost or a trusted management VLAN so untrusted clients cannot issue the two commands needed to trigger the decode, and run mpd under systemd hardening (NoNewPrivileges, ProtectSystem=strict, MemoryDenyWriteExecute) to limit the blast radius of a successful overflow.
The L2TP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted L2TP control packet
The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication m
Information disclosure in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to read arbit
CRLF injection in Music Player Daemon (MPD) before version 0.24.11 enables network-accessible, unauthenticated attackers
Server-side request forgery in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to bypas
Same weakness CWE-193 – Off-by-one Error
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33000
GHSA-p9r5-qpp4-rjg3